HTTP headers are the list of name-value pairs that are present in both the requests and responses. They give information about the content being transferred, client/server software, how the content should be handled, and security policies etc.
Following headers must be set in the responses generated by the OpenSpecimen app. This ensures users have a reduced risk of security issues like XSS, clickjacking, drive-by downloads etc.
Header | Value | Description |
|---|---|---|
X-Content-Type-Options | nosniff | Helps prevent drive-by downloads. |
Strict-Transport-Security | max-age=31536000; includeSubDomains | Puts a constraint on the browsers that the OpenSpecimen app should be accessed using HTTPS. |
Content-Security-Policy | script-src 'self' 'unsafe-eval'; | Allow scripts only from the origin. Helps in preventing XSS. |
X-Frame-Options | SAMEORIGIN | Allows framing of pages from the same origin. Helps in preventing click-jacking |
Referrer-Policy | same-origin | Prevents sending referrer for cross-origin requests. Prevents accidental data leaks. |
Permissions-Policy | accelerometer=(),autoplay=(),camera=(),encrypted-media=(),fullscreen=*,geolocation=(self),gyroscope=(),interest-cohort=(),magnetometer=(),microphone=(),midi=(),payment=(),sync-xhr=(self),usb=(),xr-spatial-tracking=() | Disable all browser features that are not used by the app. |
Apache Configuration
Following should be added to the OpenSpecimen app virtual host configuration.
Header always set X-Content-Type-Options nosniff Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" Header always set Content-Security-Policy "script-src 'self' 'unsafe-eval';" Header always unset X-Frame-Options Header set X-Frame-Options "SAMEORIGIN" Header always set Referrer-Policy "same-origin" Header always set Permissions-Policy "accelerometer=(),autoplay=(),camera=(),encrypted-media=(),fullscreen=*,geolocation=(self),gyroscope=(),interest-cohort=(),magnetometer=(),microphone=(),midi=(),payment=(),sync-xhr=(self),usb=(),xr-spatial-tracking=()"